Crypto++ 5.6.5

Crypto++ 5.6.5 was released on October 11, 2016. The 5.6.5 release was mostly a
maintenance release. The release included two CVE fixes.

The first, CVE-2016-7420, was a procedural finding due to external build systems
failing to define NDEBUG for release builds. The gap was the project's failure
to tell users to define NDEBUG. The second, CVE-2016-7544, was a potential
memory corruption on Windows platforms when using Microsoft compilers due to use of
_malloca and _freea.

Due to CVE-2016-7420 and the possibility for an unwanted assert to egress
data, users and distros are encouraged to recompile the library and all dependent
programs.

Download

The download is available from the Crypto++ website. The checksums for the download
are below.

Bug Fixes and Minor Issues

The bug fix and minor issue list for Crypto++ 5.6.5 follows. Most non-trivial issues
are tracked for auditing and C&A purposes, but the list may not be complete. A
number in parentheses is the GitHub Issue number, if it was
tracked. Sometimes a Git commit is referenced, but many trivial GitHub commits are
omitted. Missing Issue numbers or lack of consecutiveness usually indicates feature
requests and "won't fix/can't fix" type reports.

The list below has about 20 issues. The project's test scripts, cryptest.sh
and cryptest.nmake, uncovered about 16 (80.0%) of them.

In Crypto++ 5.6.4 and below word64 was unconditionally defined to
unsigned long long on 32-bit and 64-bit platforms. Crypto++ 5.6.5
defined word64 to unsigned long on 64-bit machines due
to compile problems with GCC and Clang when using SSE and NEON data types through
intrinsics. Crypto++ 5.6.5 increased use of SSE and NEON intrinsics, and calls to SSE
and NEON APIs had some hacks that were cleaned up.

Below is from config.h, and it is responsible for the "missing unsigned
long long" issue.

To go back to Crypto++ 5.6.4, you have two choices. First, you can use
config.compat in place of config.h to restore the compatibility.
Second, you can remove the __LP64__ block. Be advised we did not test this
configuration, so it may not completely clear the "missing unsigned long long"
issue.
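
Why the typedef change removes symbols even though both types are 64 bits wide on the affected platforms, shown as an added example (not code from Crypto++ or its config.h). The namespaces v564 and v565 and the function names are hypothetical, and the __LP64__ test is a simplified model of the block mentioned above.

```cpp
#include <iostream>
#include <string>
#include <type_traits>

// Simplified model of the two definitions described above. This is NOT the
// text of config.h; the namespace names are hypothetical.
namespace v564 { typedef unsigned long long word64; }   // 5.6.4 and below
namespace v565 {
#if defined(__LP64__)
    typedef unsigned long word64;                        // 64-bit (LP64) targets
#else
    typedef unsigned long long word64;                   // all other targets
#endif
}

#if defined(__LP64__)
const bool kLP64 = true;
#else
const bool kLP64 = false;
#endif

// These two overloads can coexist only because the parameter types are
// distinct. Distinct parameter types are also encoded differently in the
// mangled symbol name, so a caller built against one cannot link to the other.
std::string Describe(unsigned long)      { return "unsigned long"; }
std::string Describe(unsigned long long) { return "unsigned long long"; }

// True when both typedefs occupy the same number of bytes.
bool SameWidth() { return sizeof(v564::word64) == sizeof(v565::word64); }

// True when a function taking word64 has a different signature in each model.
bool SignatureChanged() {
    return !std::is_same<v564::word64, v565::word64>::value;
}

int main() {
    std::cout << "LP64 target:       " << kLP64 << "\n"
              << "same width:        " << SameWidth() << "\n"
              << "signature changed: " << SignatureChanged() << "\n"
              << "5.6.4 model picks: " << Describe(v564::word64(0)) << "\n"
              << "5.6.5 model picks: " << Describe(v565::word64(0)) << "\n";
    return 0;
}
```

On an LP64 target the widths match but the signatures differ, which is why a program built against the older headers looks for symbols that the newer library no longer exports.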

Since this break was unknown to the project, it was identified as a gap in our
testing process. Commit
385a3914d6cfdc88 added a script to test for missing symbols by linking
cryptest.exe against different versions of the dynamic library. For example,
Crypto++ 5.6.4 cryptest.exe will runtime link against Crypto++ 5.6.5
libcryptopp.so or libcryptopp.dylib to ensure no symbols go
missing.